Well, let me explain:
I have a web app where the administrator can organize users in logical
groups. Then, the administrator delegates roles to these groups.
The "roles" table is fixed, and is exactly equal to the roles declared in
web.xml, and the administrator has no "window" to put new roles there.
The "groups" table isn't fixed, and the administrator can create as many
groups as he wants, and put any user in as many groups as he desires.
I solved the problem by mapping my "roles" table to the server roles, and
using the "select username, group from userGroups where username=?" as
"select username, role from autorizationView where username=?", and
creating the mappings like:
<role role-name="admin">
    <principal name="admin" designated-run-as="true"
        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
</role>
<role role-name="editor">
    <principal name="editor" designated-run-as="true"
        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
</role>
<role role-name="user">
    <principal name="user" designated-run-as="true"
        class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
</role>
So, for every role declared in web.xml, I have one role in the "roles" table
and one mapping in geronimo-web.xml, so I can have a variable number of
groups.
Thanks for the clarifications. My web app is running as well as it ran on
Tomcat right now.
Richter
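An added illustration of the view-based scheme described above (not code from the post or from Geronimo): the realm's "group" query is pointed at a view that joins user memberships to group-to-role assignments and back to the fixed "roles" table, so an administrator can create any number of groups while the set of roles the container ever sees stays equal to what web.xml declares. The groupRoles table, the column names and the sample data are assumptions; the post only names "roles", "groups", "userGroups" and "autorizationView".

```python
import sqlite3

# Roles declared in web.xml (assumed fixed set, matching the post's description).
WEB_XML_ROLES = {"admin", "editor", "user"}

# Hypothetical schema. The post's "groups" table is called groupNames here
# because GROUPS is a keyword in recent SQLite; everything else is assumed.
SCHEMA = """
CREATE TABLE roles      (role TEXT PRIMARY KEY);
CREATE TABLE groupNames (groupname TEXT PRIMARY KEY);
CREATE TABLE userGroups (username TEXT, groupname TEXT);
CREATE TABLE groupRoles (groupname TEXT, role TEXT);
-- The view the realm queries instead of userGroups: one (username, role) row
-- per role reachable through any of the user's groups. The join to "roles"
-- is the check: a group assignment naming a role that is not in the fixed
-- table simply never reaches the container.
CREATE VIEW autorizationView AS
    SELECT DISTINCT ug.username, gr.role
    FROM userGroups ug
    JOIN groupRoles gr ON gr.groupname = ug.groupname
    JOIN roles r       ON r.role = gr.role;
"""

def build_db() -> sqlite3.Connection:
    """Constructed sample data: groups are created freely, roles stay fixed."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO roles VALUES (?)", [(r,) for r in sorted(WEB_XML_ROLES)])
    db.executemany("INSERT INTO groupNames VALUES (?)", [("staff",), ("writers",), ("guests",)])
    db.executemany("INSERT INTO groupRoles VALUES (?, ?)",
                   [("staff", "admin"), ("staff", "user"), ("writers", "editor"),
                    ("writers", "user"), ("guests", "user")])
    db.executemany("INSERT INTO userGroups VALUES (?, ?)",
                   [("alice", "staff"), ("bob", "writers"), ("bob", "guests"),
                    ("carol", "guests")])
    return db

def roles_for(db: sqlite3.Connection, username: str) -> list:
    """The parameterised query from the post, run against the view."""
    rows = db.execute("select username, role from autorizationView where username=?",
                      (username,))
    return sorted(role for _, role in rows)

def undeclared_roles(db: sqlite3.Connection) -> list:
    """Consistency check: roles the view can emit that web.xml does not declare."""
    seen = {r for (r,) in db.execute("SELECT DISTINCT role FROM autorizationView")}
    return sorted(seen - WEB_XML_ROLES)
```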